Although they've been touted by banks as a security improvement over simple password protection, there's study data to indicate that image authentication systems aren't as useful or effective as some think. These systems (my own bank refers to them as "Personal Security Images") present the end user with a previously chosen image, typically at the same time password input is required.

On paper, this doubtless sounded like a marvelous idea for creating an additional security barrier between an end user and the soulless minions of evil that would gobble his or her bank account data like Halloween candy. In practice, however, recent tests performed on image authentication systems by study authors Rachna Dhamija, Andy Ozment, and their co-authors seem to indicate that such measures are less effective than one might think.

In order to test the efficacy of modern-day authentication techniques, users were first divided into three groups. Group 1 was composed of role-players who were told they were performing everyday banking tasks on a Sunday afternoon. Group 2 was also composed of role-players (similar to Group 1), but they were told to put additional emphasis on security. Group 3 was composed of individuals using their own user IDs and passwords at their own banking web site.

Groups were tested with three ascending "stairs" of insecurity. When offered a login page where the "https://" had been removed and a standard "http://" substituted, all 63 participants in all three groups entered their login data and password. When the authentication images were removed and replaced with a generic "This service is being upgraded" notice, 58 of the 60 individuals chose to continue and enter the relevant data. When presented with a dramatic warning page and information indicating that the web site's security certificate might be invalid, over half of the participants (30 out of 57) still decided to enter their login data and proceed.

It's worth noting, as the study authors did, that breaking the data down by which groups chose to proceed yields different results. Although a total of 30 people chose to proceed despite the warning page, a majority of those people were role-players (22 out of 35). Of the remaining group (those using their own personal information), only eight of 14 chose to continue and log in to the service.

Even after factoring in the role-playing element, however, this study raises questions regarding the efficacy of image authentication systems in general. Even when presented with clear evidence that the image authentication system was not functioning and hence could have been compromised, the vast majority of users (97 percent) chose to enter their login information and proceed.